Hi guys,
I am getting some issues when working over a third party remote VPN connection through a Quantum Spark.
The Quantum Spark is configured in Bridge mode with all security services activated.
The third party VPN client establishes correctly and we are able to ping the remote servers.
As the RDP session is launched the VPN session is disconnected.
Attached is the error message seen in the logs.
Regards,
Are you sure this is the only log from that time of failed tunnel? It does not seem to be relevant to either RDP or VPN
Hi.
The 3rd party VPN client is DrayTek Smart VPN which is used to connect to a remote gateway over the Internet through the Quantum Spark. As per tests conducted the problem is observed when the Fast SSL option is activated on the VPN client.
When the Fast SSL option is activated on the client, the VPN session is established and ping to remote servers work fine. When initiating RDP sessions, the VPN session is disconnected.
When the Fast SSL option is disabled on the client, the VPN session is established and ping to remote servers work fine. RDP sessions also work seamlessly.
As per logs, a packet drop is noticed when initiating the sessions with the Fast SSL option activated.
See attachment.
Regards,
I could be wrong when I say this, but based on the screenshot you attached, it would appear it's potentially an IPS issue, though it gives an attack name, but there is no confidence level.
Andy
Please open a TAC case for this
Why not disable the Fast SSL option?
I'm not able to determine what "Fast SSL" means from the DrayTek documentation, but I did see that this setting is now disabled by default in the later 2019 releases. I'd guess perhaps it shortens the TCP retransmit timers so that it is more "impatient", particularly when negotiating the initial HTTPS connection for the VPN. It is possible that it isn't getting a fast enough response for its impatience and is retransmitting before it is supposed to based on RTT, and running afoul of the Inspection Setting "Invalid TCP Retransmission". This enforcement will basically stall the HTTPS/443 connection in this case and result in the disconnection of the VPN.
Try changing the Inspection Setting "Invalid TCP Retransmission" from Drop to Accept on the firewall and see if Fast SSL still works. I'd really not advise leaving this protection in the Accept state though, and believe that disabling Fast SSL would be a better solution as clearly whatever that feature is doing is not RFC compliant.
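To make the reasoning in the answer above concrete, here is a small Python model of how a stateful inspection engine can classify a TCP retransmission. This is an added example, not code from the thread, from DrayTek or from Check Point, and it does not claim to reproduce the firewall's actual algorithm. It tracks each flow's segments by sequence number and distinguishes three cases: a retransmit that carries the same bytes after a plausible retransmission timeout (normal), a retransmit that arrives sooner than a minimum RTO (the "impatient client" behaviour the answer speculates Fast SSL causes), and a retransmit whose payload differs from what was first seen (the classic inspection-evasion pattern that such protections exist to catch). The `MIN_RTO` threshold, the `Segment` layout and the sample traces are constructed assumptions; the `apply_policy` helper models the Drop versus Accept choice the answer suggests testing.

```python
"""Toy model of 'invalid TCP retransmission' classification (constructed example)."""
from dataclasses import dataclass

# Assumed minimum retransmission timeout in seconds. Real stacks derive RTO from
# measured RTT (RFC 6298); a fixed value keeps the example self-contained.
MIN_RTO = 0.2


@dataclass(frozen=True)
class Segment:
    ts: float        # arrival time in seconds (constructed)
    flow: str        # flow key, e.g. "client>server"; a real engine uses the 5-tuple
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes   # segment payload


def inspect(segments, min_rto=MIN_RTO):
    """Classify each segment as seen by a stateful inspector.

    Returns a list of (seq, verdict) tuples in arrival order, where verdict is one of:
      "accept"               first time this (flow, seq) is seen
      "retransmit-ok"        same bytes again, after at least min_rto
      "premature-retransmit" same bytes again, but sooner than min_rto
      "invalid-data"         different bytes at an already-seen sequence number
    """
    seen = {}  # (flow, seq) -> (first_ts, first_payload)
    verdicts = []
    for s in segments:
        key = (s.flow, s.seq)
        if key not in seen:
            seen[key] = (s.ts, s.payload)
            verdicts.append((s.seq, "accept"))
            continue
        first_ts, first_payload = seen[key]
        if s.payload != first_payload:
            verdicts.append((s.seq, "invalid-data"))
        elif s.ts - first_ts < min_rto:
            verdicts.append((s.seq, "premature-retransmit"))
        else:
            verdicts.append((s.seq, "retransmit-ok"))
    return verdicts


def apply_policy(verdicts, action="drop"):
    """Model the Inspection Setting: with action="drop" the flagged segments are
    dropped (the connection then stalls); with action="accept" nothing is dropped."""
    flagged = {"premature-retransmit", "invalid-data"}
    if action == "accept":
        return []
    return [seq for seq, v in verdicts if v in flagged]


# Constructed traces. "ClientHello" is 11 bytes, so the next segment starts at seq 12.
FAST_SSL_ON = [
    Segment(0.00, "client>server", 1, b"ClientHello"),
    Segment(0.05, "client>server", 1, b"ClientHello"),   # retransmitted after 50 ms
    Segment(0.30, "client>server", 12, b"Finished"),
]
FAST_SSL_OFF = [
    Segment(0.00, "client>server", 1, b"ClientHello"),
    Segment(0.45, "client>server", 1, b"ClientHello"),   # retransmitted after 450 ms
    Segment(0.70, "client>server", 12, b"Finished"),
]
DIFFERENT_DATA = [
    Segment(0.00, "client>server", 1, b"benign-data"),
    Segment(0.50, "client>server", 1, b"other--data"),   # same seq, different bytes
]


if __name__ == "__main__":
    for name, trace in (("fast ssl on", FAST_SSL_ON), ("fast ssl off", FAST_SSL_OFF),
                        ("different data", DIFFERENT_DATA)):
        v = inspect(trace)
        print(f"{name:15} verdicts={v} dropped={apply_policy(v)}")
```

Run as a script it prints the verdicts for the three traces. The point of the model is the comparison the answer proposes: with the protection set to Drop, the impatient trace loses its retransmitted handshake segment and the connection stalls, while with Accept it proceeds; the differing-payload case shows why leaving the protection on Accept is a poor long-term fix, since the same setting is what catches a retransmission that tries to change data the inspector has already examined.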